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1 Introduction 

We consider the list decoding of one-point algebraic geometry (AG) codes. Gu- 
ruswami and Sudan [211 proposed the well-known list decoding algorithm for 
one-point AG codes, which consists of the interpolation step and the factoriza- 
tion step. The interpolation step has large computational complexity and many 
researchers have proposed faster interpolation steps, see [|5l Figure 1]. 

By modifying the unique decoding algorithm [25\ for primal one-point AG 
codes, we propose another list decoding algorithm based on voting in Grobner 
bases whose error correcting capability is higher than [GTI and whose computa- 
tional complexity is smaller than [|5l |2T1 in many cases. A decoding algorithm 
for primal one-point AG codes was proposed in [1291 , which was a straightforward 
adaptation of the original Feng-Rao majority voting for the dual AG codes [13J to 
the primal ones. The Feng-Rao majority voting in [29| for one -point primal codes 
was generalized to multi-point primal codes in [6, Section 2.5]. The one-point 
primal codes can also be decoded as multi-point dual codes with majority voting 
iSmillOl, whose faster version was proposed in [38] for multi-point Hermitian 
codes. Lee, Bras-Amoros and O' Sullivan [25] proposed another unique decoding 
(not list decoding) algorithm for primal codes based on the majority voting inside 
Grobner bases. The module used by them [|25l is a curve theoretic generalization 
of one used for Reed-Solomon codes in [2]. An interesting feature in [|25l is that 
it did not use differentials and residues on curves for its majority voting, while 
they were used in [6, 29 1. The above studies [61 [25] |29] dealt with the primal 
codes. Chen [8], Elbr0nd Jensen et al. [12] and Bras-Amoros et al. [VJ studied the 
error-correcting capability of the Feng-Rao [[131 or the BMS algorithm [[37] |39l 
with majority voting beyond half the designed distance that are applicable to the 
dual one-point codes. 

There was room for improvements in the original result ['25], namely, (a) they 
have not clarified the relation between its error-correcting capability and existing 
minimum distance lower bounds except for the one-point Hermitian codes, (b) 
they have not analyzed the computational complexity, (c) they assumed that the 
maximum pole order used for code construction is less than the code length, and 
(d) they have not shown how to use the method with the Feng-Rao improved code 
construction [14]. We shall (1) prove that the error-correcting capability of the 
original proposal is always equal to half of the bound in [|3l for the minimum dis- 
tance of one-point primal codes (Proposition |6]), (2) generalize their algorithm to 
work with any one-point AG codes, (3) modify their algorithm to a list decoding 
algorithm, (4) remove the assumptions (c) and (d) above, (5) remove unnecessary 



computational steps from the original proposal, (6) analyze the computational 
complexity in terms of the number of multiplications and divisions in the finite 
field. The proposed algorithm is implemented on the Singular computer algebra 
system EOl . and we verified that the proposed algorithm can correct more errors 
than (51 1211 with manageable computational complexity. 

This paper is organized as follows: Section |2]introduces notations and relevant 
facts. Section |3] improves Il25l in various ways, and the differences to the original 
[|25l are summarized in Section |3^ Section |4] shows that the proposed modifica- 
tion to [l25l works as claimed. Section |5] compares its computational complexity 
with the conventional methods. Section [6] concludes the paper. 

2 Notation and Preliminary 

Our study heavily relies on the standard form of algebraic curves introduced inde- 
pendently by Pellikaan |fT9ll and Miura [|32l , which is an enhancement of earlier 
results [Sjj i34jl- Let F/F^ be an algebraic function field of one variable over a 
finite field F^ with q elements. Let g be the genus of F . Fix n + 1 distinct places 
Q, P\, . . ., Pn oi degree one in F and a nonnegative integer u. We consider the 
following one-point algebraic geometry (AG) code 

Cu = {ev(/) I / e £(uQ)} (1) 

where ev(/) = {/(Pi), . . . , /(/'„)). Suppose that the Weierstrass semigroup H{Q) 
at Q is generated by ai, . . . , a,, and choose t elements xi, . . ., Xt in F whose pole 
divisors are (;c,)oo = ciiQ for i = I, . . ., t. We do not assume that ai is the smallest 
among ai, . . . , a,. Without loss of generality we may assume the availability of 
such xi, . . . , Xt, because otherwise we cannot find a basis of C„ for every u. Then 
we have that £iooQ) = {J°l^£(iQ) is equal to Fg[;ci, ..., x,] [[Ml- We express 
£.(ooQ) as a residue class ring F^[Xi, . . . , X,]// of the polynomial ring ¥y[Xi, 
. . . , X,], where Xi, . . . , X, are transcendental over F^, and / is the kernel of the 
canonical homomorphism sending X, to xi. Pellikaan and Miura [fT9ll32l identified 
the following convenient representation of Jl(ooQ) by using Grobner basis theory 
OJ. The following review is borrowed from [|28l . Hereafter, we assume that the 
reader is familiar with the Grobner basis theory in [T]. 

Let N() be the set of nonnegative integers. For (mi, . . . , nit), («i, . . . , n;) e Nq, 
we define the weighted reverse lexicographic monomial order > such that (mi, 

. . . , nit) > {ni, . . .,nt) ifuinii + ■ ■ ■ + atnit > ain\ H l-a,n,, or aim i + ■ ■ ■ + atmt = 

a\ni + ••• + Ufn,, and mi = n^, mj = n2, . . . , m,_i = n,_i, m, < n,-, for some 



I < i < t. Note that a Grobner basis of / with respect to > can be computed by 
[1341 Theorem 15], EOl, flU Theorem 4.1] or EH Proposition 2.17], starting from 
any affine defining equations of F/Fg. 



Example 1 According to l\22\ Example 3. 7], 

u^v + v^ + u = 

is an affine defining equation for the Klein quartic over Fg. There exists a unique 
¥ ^-rational place Q such that (v)co = 3Q, (mv)oo = 5Q, and (m^v)oo = VQ. The 
numbers 3, 5 and 7 is the minimal generating set of the Weierstrass semigroup at 
Q. Choosing v as xi, uv as X2 and u^v as X3, by l\42\ Theorem 4.1] we can see that 
the standard form of the Klein quartic is given by 

X2 + X^Xi , X3X2 + Xi + X2, X3 + X2X^ + X3 , 

which is the reduced Grobner basis with respect to the monomial order >. We can 
see that a^ = 3, aj = 5, and a^, = 7. 

Example 2 Consider the function field F9(mi, V2, V3) with relations 

vl+V2 = u\, V3 + V3 = {V2lUif. (2) 

This is the third function field in the asymptotically good tower introduced by 
Garcia and Stichtenoth / 176l/ . Substituting V2 with U1U2 and V3 with M2M3 in Eq. (12]) 
we have affine defining equations 

MjM2 + "2 - "i =0, M2"3 + U3 - U2 = 0. 

The function Ui has a unique pole Q in '¥'){u\, U2, Uj,) = Fg(ui,V2, V3). The minimal 
generating set of the Weiestrass semigroup H(Q) at Q is 9, 12, 22, 28, 32 and 35 
l{45\ Example 4.11]. It has genus 22 and 77 Fg-rational points different from Q 

Define six functions Xi = Ui, X2 = U1U2, x^ = u\u2Uj„ Xi, = ulu^Uy X5 = 
((uiU2)^ + 1)m2M3 '^nd X(, = {{U1U2Y + \)u\u\. We have {xi)oo = 9Q, (.'C2)oo = 
122, fe)oo = 222, (-^4)00 = 352, (■^5)00 = 282 ^nd (x6)co = 322 [43]. From 
this information and Iji42\ Theorem 4.1] we can compute the 15 polynomials in 
the reduced Grobner basis of the ideal I c F9[Xi, ..., X(,] defining £.{ooQ) as 
{X^ — Xj +X2, X^X2—Xt,X^, X(,X2—XhX\, X^ —X^Xi, X3X2 —X=,X^ +X3, X5X3 —X(,Xy, 
X(,Xt, — X. + X^X, + X2X., X^ — X4X2X1 — X(„ X4X3 — X2X. + X-^X. + XjXi, 



^6 ~ ^5^1 + ^4^2^1 + ^3^1 + X(„ X(,X4. — X^X^ + X(,X^ + X3X2X1, X4 - X3Z2XJ + 

X4XJ + XjXj - X3}. A^o?e that polynomials in the above Grobner basis are in 
the ascending order with respect to the monomial order < while terms in each 
polynomial are in the descending order with respect to < 

For / = 0, . . . , ai - 1, we define Z?, = min{m e H{Q) \ m = i (mod ai)}, 
and Li to be the minimum element (mi, . . . , m^) e Nq with respect to < such that 
aimi + ■ ■ ■ + a,mf = bj. Note that Z7,'s are the well-known Apery set [|33l Lemmas 
2.4 and 2.6] of the numerical semigroup H{Q). Then we have £i = if we write 
Li as (£u ..., £,). For each L,- = (0, ^,2, ■ ■ ■ , 4), define yi = x^ ■ ■ ■ xf' e £(ck>Q). 

The footprint of /, denoted by A(/), is {(mj, . . . , m,) e NJ, | Xf ■ ■ -Xf" is 
not the leading monomial of any nonzero polynomial in / with respect to <}, and 
define Qq = {;c™' • • • x^^' \ (mi, . . . , m^) e A(/)}. Then Qq is a basis of X(c>o2) as 
an Fg-linear space [HI, two distinct elements in Qq have difi'erent pole orders at Q, 
and 

= {<4^ • • • , xf' I m G No, (0, 4, . . . , A) e {Z^o, • • • , ^a^-i }} 

= {y;V,|meNo,/ = 0,...,ai-l}. (3) 

Equation (|3]) shows that £.(ooQ) is a free Fg[xi]-module with a basis {jo, •••, 
ja,_i}. Note that the above structured shape of Qq reflects the well-known prop- 
erty of every weighted reverse lexicographic monomial order, see the paragraph 
preceding to [11,, Proposition 15.12]. 

Example 3 For the curve in ExampleUl we have yo = \, yi = X3, yj = X2. 

Let vq be the unique valuation in F associated with the place Q. The semi- 
group H(Q) is equal to {iai - Vgiyj) \ < i,0 < j < a^} ^3\ Lemma 2.6]. By 
[|28l Proposition 3.18], for each nongap s e H{Q) there is a unique monomial 
x\yj G X(oo2) with < 7 < ai such that -VQ{x\yj) = s, and let us denote this 
monomial by (p^. Let Y G H{Q), and we may consider the one-point codes 

Cr = ({ev(^,) I s G F}), (4) 

where (•) denotes the F^-linear space spanned by •. Since considering linearly 
dependent rows in a generator matrix has no merit, we assume 

r c H(Q), (5) 



where H{Q) = {u e H{Q) \ Cu ^ C„„i}. One motivation for considering these 
codes is that it was shown in [3| how to increase the dimension of the one-point 
codes without decreasing the lower bound Jag for the minimum distance. The 
bound JagCCf) is defined for Cp as follows L3J: For s eY, let 

A{s) = '^{jeH{Q)\j + seH{Q)}. (6) 

Then JAoCCr) = min{/l(5') | 5 e F}. It is proved in [jTTll that dAo gives the same 
estimate for the minimum distance as the Feng-Rao bound [fT3]| for one-point dual 
AG codes when both Jag and the Feng-Rao bound can be applied, that is, when 
the dual of a one-point code is isometric to a one-point code. Furthermore, it is 
also proved in [17J that JagCCf) can be obtained from the bounds in yj |9l [TOl . 
hence Jag can be understood as a particular case of these bounds [SI l9l[T0l. 

3 Procedure of New List Decoding based on Voting 
in Grobner Bases 

3.1 Overall Structure 

Suppose that we have a received word r e F^. We shall modify the unique decod- 
ing algorithm proposed by Lee et al. [25] so that we can find all the codewords in 
Cy in Eq. (HI) within the Hamming distance r from r. The overall structure of the 
modified algorithm is as follows: 

1 . Precomputation before getting a received word r, 

2. Initialization after getting a received word r, 

3. Termination criteria of the iteration, and 

4. Main part of the iteration. 

Steps |2] and m are based on [|25l . Steps [T] and |3] are not given in ['251. Each step 
is described in the following subsections in Section [3] We shall analyze time 
complexity except the precomputation part of the algorithm. 



3.2 Modified Definitions for the Proposed Modification 

We retain notations from Section |2] In this subsection, we modify notations and 
definitions in ||25l to describe the proposed modification to their algorithm. We 
also introduce several new notations. Define a set Qi = {x'^yjz'^ \0 < i,0 < j < a\, 
k = Q,\]- Our Qi is Q in [25] . Recall also that Qq = (v. U e H{Q)\. 

Since the F^y[xi] -module X.{ooQ)z ® £,{coQ) has a free basis [yjZ,yj I < 
J < a\}, we can regard Qi as the set of monomials in the Grobner basis theory 
for modules. We introduce a monomial order on Qi as follows. For given two 
monomials x'lyjz''*^ and x/j/^'/'+i, first rewrite yj and yj> by .)C2, . . . , Xt defined in 
Section |2] and get x'lyjz''*^ = x'^x'^ • • -x'jt'*^ and x'lyfz'''*'' = x'lx^ ■ ■ ■x)z'''*^. For a 
nongap s e H{Q), we define the monomial order x''^x'^ ■ • ■ x^t'*^ <s x'lx^ ■ ■ ■ x)z'''*^ 
parametrized by s if ?',+i5 - Vq{x''Ix'2 ■ ■ ■ x)) < i\^^s - vqixlx^ ■ ■ ■ xj) or i,+is - 

i' i' i' 

VQ(x'yX'2 ■ • ■ x]') = ?^^j5 - Vq{xIx^ ' ' ' ^t) ^^'^ h = i'l, h = ?2' • • • ' '^-i ~ ^'e-i ^^'^ 
i( > i'^ for some 1 < £ < t + \. Observe that the restriction of <., to Qq is equal 
to < defined in Section [21 In what follows, every Grobner basis, leading term, 
and leading coefficient is obtained by considering the Grobner basis theory for 
modules, not for ideals. 

For / G £.(ooQ)z © -C{ooQ), y{f) denotes the number of nonzero terms in / 
when / is expressed as an F^-linear combination of monomials in 0.\. y^^iif) 
denotes the number of nonzero terms whose coefficients are not 1 e F^^. 

For the code Cp in Eq. ([4]), define the divisor D = Pi + ■ • ■ + P„. Define 
£(-G + ooQ) = U,^i £{-G + iQ) for a divisor G of F/F^. Then £{-0 + ooQ) is an 
ideal of £.{ooQ) [|27l . Let rji be any element in £{-D+ooQ) such that iMirji) = x[yi 
with j being the minimal given /. Then by [|25l Proposition 1], {t/q, . . . , /7a,_i} is 
a Grobner basis for £{-D + ooQ) with respect to <s as an F^[.)Ci] -module. For a 
nonnegative integer s, define F*^--^^ = {5' e F | 5' < s}, Y^^^^ = {s' eY \ s' > s], and 
prec(i') = maxf*' e H{Q) \ s' < s}. We define prec(O) = -1. 

3.3 Precompuation before Getting a Received Word 

Before getting r, we need to compute the Pellikaan-Miura standard form of the 
algebraic curve, yo(= 1)^ Ju ■■■, Jch-y, and ip^ for s e H(Q) as defined in Section 
|2l Also compute 770, . . . ,riai-\, which can be done by [27J. 

For each (/, j), express yiyj as an F^-linear combination of monomials in Qq- 
Such expressions will be used for computing products and quotients in £.(ooQ) 
as explained in Section 13.4.11 From the above data, we can easily know Lc(y,jj), 



7 



which will be used in Eqs. (fT4l) and (l22l) . 

Find elements ip^ e Qo with s e H(Q). There are « such elements, which we 
denote by i/rj, . . . i/r,, such that -VQ{if/i) < -vgiil/t+i). Compute the nx n matrix 



M 



^ MPl) ■■■ 'AlC/'n) ^"' 



I (A„(Pl) • • • l/fniPn) 



(7) 



3.4 Multiplication and Division in an Affine Coordinate Ring 

In both original unique decoding algorithm [|25l and our modified version, we 
need to quickly compute the product gh of two elements g, h in the affine coordi- 
nate ring -C{ooQ). In our modified version, we also need to compute the quotient 
g/h depending on the choice of iteration termination criterion described in Sec- 
tion 13.61 Since the authors could not find quick computational procedures for 
those tasks in £.{ooQ), we shall present such ones here. 

3.4.1 Multiplication in an Affine Coordinate Ring 

The normal form of g, for g e -C(ooQ), is the expression of g written as an F^- 
linear combination of monomials (ps e fio. g, h are assumed to be in the normal 
form. We propose the following procedure to compute the normal form of gh. Let 
the normal form of ytyj be 

a[-l 
k=Q 

with fij^k(xi) e Fg[xi], which is computed in Section |33l 

We denote by Xi, Yi, . . . , Ya^^i algebraically independent variables over F^. 

1. Assume that g and h are in their normal forms. Change j, to 7, and Xi to Xi 
in g, h for / = 1, . . . , ai - 1. Recall that yo = I. Denote the results by G, H. 

2. Compute GH. This step needs 

7(.g) X 7(h) (8) 

multiplications in F^. 



3. Let GH = 'LQ<ij<a, YiYjFG,H,u(Xi)- Then we have 



ai-l 



gh= ^ F'G,H,i,j(xi)^ykfij,k(^i)- 

0<i,j<ai 



(9) 



k=0 



Computation of Fg,hj.j(Xi) Y^Zq ykfij,k(xi) needs at most yMZZo ykfij,k(xi)) 
yiFc.Hjji^i)) multiplications in F^. Therefore, the total number of multipli- 
cations in Fq in this step is at most 



a,-l 



^ r(^G,//,/,y(^i))7*i(^ ykfij,k{xi)). 



(10) 



k=0 



0<i,j<ai 

Therefore, the total number of multiplications in F^^ is at most 



a\ — \ 



y{g) X y{h) + Yj yiFG,H,i,j{xi))y^i{Yj Jkluki^))- 

0<ij<ai 



(11) 



k=Q 



Define Eq. (fTTl) as multi(^, h). 

We emphasize that when the characteristic of F^^ is 2 and all the coefficients of 
defining equations belong to F2, which is almost always the case for those cases 
of interest for applications in coding theory, then y^iCZ^io^ ykfij,k{x\)) in Eq. ([TT]) 
is zero. This means that £.{ooQ) has little additional overhead over F^[X] for 
computing products of their elements in terms of the number of F^-multiplications 
and divisions. 

Remark 4 Define (z, j) to be equivalent to (z', /) ifyiyj = yi'yf e £.{ooQ). Denote 
by [z, j] the equivalence class represented by (z, j). For (z, j), (z', /) e [z, j] we have 
fi,i,k{xi) = fi'j\k(.xi), which is denoted by fiijikixi). The right hand side ofEq. ([9]) 
can be written as 



\fli-i 



UJ] \(i' J')e[iJ] 



(12) 



/ k=Q 



By using Eq. ([72]) instead ofEq. ((9]), we have another upper bound on the number 
of multiplications as 



a\—l 



y{g)xy{h) + J^y Y^ FcHd'jixi) y^iij^ykfujuixi)). (13) 



[/,;•] \{i',j'MiJ] 



k=Q 



Since 

( 
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WJ'MUj] 



^ FcHJ'ji^i) ^ ^ y{FG,H,i'j{x{)), 



we have Eg. (1221) < Eg. HTD . However, Eg. f TOl) is almost always the same as Eg. 
4771) over the curve in Example H] and Eg. ( 17?1) will not be used in our computer 
experiments in Section \5\ 

3.4.2 Computation of the Quotient 

Assume h i^ 0. The following procedure computes the quotient g/h e -CiooQ) or 
declares that g does not belong to the principal ideal of -CiooQ) generated by h. 

1 . Initialize cr = 0. Also initialize ^ = 0. 

2. Check if -vgig) e -vgih) + H(Q). If not, declare that g does not belong to 
the principal ideal of £.(ooQ) generated by h, and finish the procedure. 

3. Let (fs e flo such that -vgig) = -vgiipsh). Observe that Lc((psLM(h)) = 
i^ciys mod aJ-VQ{h) mod ai) and that hc(y, mod aJ^VQih) mod ai) IS prccomputcd as 
Section 1331 Let 

Fg3t = LC(^)/(LC(/i) X LC{(p,LM(h)) ). (14) 

Precomputed in Section |33] 

Computation of t(ps needs one multiplication and one division in F^. Ob- 
serve that -vgig - tipji) < -VQ{g). 

4. Compute the normal form of t(fsh, which requires at most rmx\\.i{tips, h) mul- 
tiplications in F^^. Increment ^ by 2 -I- multi(Z^^^, h). 

5. Update cr «— cr -i- ti^s and g <^ g- tip^h. If the updated g is zero, then output 
the updated cr as the quotient and finish the procedure. Otherwise go to Step 
121 This step has no multiplication nor division. 

Define quot(g, h) as ^ after finishing the above procedure. quot(^, h) is an upper 
bound on the number of multiplications and divisions in F^^ in the above procedure. 
The program variable ^ is just to define quot(^, h), and the decoding algorithm 
does not need to update ^. Observe also that the above procedure is a straightfor- 
ward generalization of the standard long division of two univariate polynomials 
11301. 

10 



3.5 Initialization after Getting a Received Word r 

Let (/i, . . . , inY = Mr, where M is defined in Eq. (|7]). Define hf = 2"=i iji/^j- Then 
we have ty{hf) = r. The computation of /Zj* from r needs at most n^ multiplications 
inF,. 

Let N = -VQ{hf). For z = 0, . . . , ai - 1, compute g'P = t/,- g £.(ooQ) and 
f-^^ = ytiz - h) e £{ooQ)z e £{ooQ). The computation of f.^^ needs at most 
muh.i{yi,hii) multiplications in F^. Therefore, the total number of multiplications 
in the initialization is at most 

ai-l 

n^ + J^mu\tiiyi,hr). (15) 

(=0 

Let s = N and execute the following steps. 

3.6 Three Termination Criteria of the Iteration 

After finishing the initialization step in Section I3.5[ we iteratively compute fj 
and gf with A^ > ^ e i/(2) U {-1} and w, with N > s e H(Q) from larger s to 
smaller s. The single iteration consists of two parts: The first part is to check if an 
iteration termination criterion is satisfied. The second part is computation of f^ 
and gf^ forN>se H(Q) U {-1}. We describe the first part in Section U!6l 

Let /n,in = ao+ zai having the smallest -VgCo-i) among fl^'\ ..., /j'lj. In 
the following subsections, we shall propose three diff"erent procedures to judge 
whether or not iterations in the proposed algorithm can be terminated. In an actual 
implementation of the proposed algorithm, one criterion is chosen and the chosen 
one is consistently used throughout the iterations. The first one and the second 
one are diff"erent generalizations!!! of [2, Theorem 12] for the case g = Qio g > Q. 
The third one is almost the same as the original procedure in [|25l . The first one 
was proposed in [[T8| while the second and the third ones are new in this paper. We 
shall compare the three criteria in Sec. 15.21 Throughout this paper, wt(.^ denotes 
the Hamming weight of a vector x e F^. 



' Ali and Kuijper proved in [2, Theorem 12] that if the number 5 of errors satisfies 26 < dssiCs), 
where d^^iCs) is the minimum distance n - s of the [n, s + 1] Reed-Solomon code Cj, then the 
transmitted information word is obtained by Ali-Kuijper's algorithm as -ao/o'i ■ To one-point pri- 
mal AG codes, d^^{Cs) can be generalized as either c/ag(Cs) orn-s-g. The former generalization 
dkciCs) corresponds to the first criterion in Section 13.6. H and the latter n - s - g corresponds to 
the second in Section [J.6.2| 
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3.6.1 First Criterion for Judging Termination 

If 

• s eY, 

• JAG(Cr(i')) > 2t, and 

• -VgCtti) <T + g 

then do the following: 

1. Compute q'o/q'i e F. This needs at most 

quot(Q'(),ai) (16) 

multiplications and divisions in F^. 

2. If ao/ai e -C{ooQ) and ao/ai can be written as a linear combination of 
monomials in {(p^' e s' e F*^-^^}, then do the following: 

(a) If JagCCf) > 2r or -vgiai) < r then include the coefficients of 
-tto/o'i + Z.s'er<>') w^.v'V'.v' into the list of transmitted information vec- 
tors, and avoid proceeding with the rest of the decoding procedure. 

(b) Otherwise compute ey(-ao/ai + 2.«'er(>') ^s'^s')- This needs at most 



ny(-ao/ai + 2_j ^^.v^.v) (17) 



.v'er(>') 



multiplications and divisions in F^. 
(c) If 



wt 



ev(-ao/«i + 2_j ^■^'^■*') ~ ^ 



( \ 

<T, 

then include the coefficients of -o-o/ai + 2.s'er<>') ^s'^s' into the list of 
transmitted information vectors, and avoid proceeding with s. Other- 
wise, continue the iterations unless s < n - g - 2t. 
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3.6.2 Second Criterion for Judging Termination 

If 5 = max{5' eY \ s' < n -2t + g}, then do the following: 

1. If -Vgiai) > T + g then stop proceeding with iteration. 

2. Otherwise compute o-o/o-i e F. This needs at most 

quot(Q'(),ai) (18) 

multiplications and divisions in F^. 

3. If 2t < JagCCf), cuo/ai e -C{ooQ), and ao/ai can be written as a linear 
combination of monomials in {(p^' e s' e F^-'^} then declare the coefficients 
of -tto/o'i + Zs'erO') ^s'^s' as the only transmitted information and finish. 
Otherwise declare "decoding failure" and finish. 

4. If 2t > JagCCf), ao/cni e -C{ooQ) and ao/ai can be written as a linear 
combination of monomials in {i^v' & s' e F^-'^}, then do the following: 

(a) If -vgiai) < T then include the coefficients of -ao/ai + Z.«'er(>') '^^s'<Ps' 
into the list of transmitted information vectors, and avoid proceeding 
with s. 

(b) Otherwise compute ev(-Q'()/a;i + 2.v'gr<>') Ws'(Ps')- This needs at most 

ny(-ao/ai + 2_j i^.v'V.v') (19) 

multiplications and divisions in F^. 

(c) If 

ew(-ao/ai + ^ w,'(fi,') - r < t, 

then include the coefficients of -ao/a^ + Zs'ero') ^s'^s' into the list of 
transmitted information vectors. 

5. Finish the iteration no matter what happened in the above steps. 



wt 
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3.6.3 Third Criterion for Judging Termination 

Just repeat the iteration until finding yj.^'^ at s = -1 for / = 0, . . . , ai - 1. If 2t < 
^AG(Cr) then declare the vector (w, : 5 e F) as the only transmitted information 
and finish. 

If 2r > JagCCf) then do the following: 

1. If ao = and -Vq(q'i) < r then include the vector (w., : 5 6 F) into the list 
of transmitted information vectors. Finish the iteration. 

2. If -vgiai) > T + g then finish the iteration. 

3. Otherwise compute ev(2ier^.vVi)- This needs at most 

nyi^ w.ifs) (20) 

.ver 

multiplications and divisions in F^. 

4. If 

wt 



ev(^ w,^,) - r < T, 

seT ) 



then include the vector (Wv : ^ 6 F) into the list of transmitted information 
vectors. Finish the iteration. 

3.7 Iteration of Pairing, Voting, and Rebasing 



The iteration of the original algorithm [1251 consists of three steps, called pairing, 
voting, and rebasing. We will make a small change to the original. Our modified 
version is described below. 



3.7.1 Pairing 

Let 



■?!''*= J] ^'-i^J^^ Yu <^<j3'y' withc;j,(i;jeFg[xi], 

0<y'<fli 0<y'<ai 

fl''= Yj ^''jyj^+ Z bijyj, with aij,bijeF^[xy], 



0<j<a[ 0<j<a[ 
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and let vf^ = Lc(dij). We assume that LT(f.^^) = a^ytz and LT(g|*^) = dijyi. For 
< / < ai, as in [25] there are unique integers < i' < ai and fc, satisfying 

-vgiauyd + s = aiki - VqCv,v). 

Note that by the definition above 

/' = i + s mod ai, (21) 

and the integer -Vgia^yi) + 5 is a nongap if and only if kf > 0. Now let c,- = 
dcg^^(di'f) - hi. Note that the map i i-> /' is a permutation of {0, 1, . . . , a - 1} and 
that the integer c, is defined such that aic,- = -VQ{di'j>yi>) + VQ(a,-,,j;) - s. 

3.7.2 Voting 

For each / e {0, . . . ai - 1 }, we set 

IXi = Lc(aijyi(p,), Wsj = , Ci = max{c;,0}, (22) 

where bij'[x^] denotes the coefficient of Xkg of the univariate polynomial bij' £ 
Fg[xi]. We remark that the leading coefficient //, must be considered after ex- 
pressing aijyi(ps by monomials in Qq- 

Observe that lc();,(^,) = Lciyiy, ^od «i ) and that Lciy^y, ^^d «i ) is already precom- 
puted as Section 13.31 By using that precomputed table, computation of ju, needs 
one multiplication. The total number of multiplications and divisions in Eq. (|22l) 
is 

2ai (23) 

excluding negation from the number of multiplication. 
Let 

v(^) = — Yj max{-ve(77,v) + vgiyd - s, 0}. (24) 

We consider two different candidates depending on whether 5 e F or not: 

• If 5 e HiQ) \ F, set 

w = 0. (25) 

• If 5 e F, let w be one of the element(s) in F^ with 

2 c,> _2 c,-2t + v(5). (26) 

Let Ws = w. If several w's satisfy the condition above, repeat the rest of the 
algorithm for each of them. 
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3.7.3 Rebasing 

In all of the following cases, we need to compute the normal form of the product 
wips X Z"io' '^'jyj' ^'^^ ^^^ product wips x Yi"^^ '^ijyj- For ^^ch /, the number of 
multiplications is 

< multi(w^,, ^ Uijyj) + multi(w^„ ^ djyj), (27) 

i=0 ;=0 

where multi(-, ■) is defined in Section [3.4.1[ 

• If Wsj = w, then let 

^(prec(.)) ^ ^(.,^^ ^ ^^^^ 

where the parentheses denote substitution of the variable z and let y^^^^^^^'' = 
v\^\ The number of multiplications in this case is bounded by Eq. (|27] ). 

• If Wsj 4^ w and c, > 0, then let 

(prec(.s)) /-(.v)/ , \ 

fi = x;fl \z + wip,) - ^^^^pr^g], \z + wip,) 

and let v:r = /i,(w - Wi,,). 

Computation of ^^ ~J" needs one multiplication and one division. The 

product of ^ ""',7' ^i^d g|f\z + wi^i) needs 7(g|f\z + wi^v)) multiplications, 

where y is defined in Section [3.4.1[ Thus, the number of multiplications and 
divisions is 

< 2 + yiifiz + w.)) + Eq. ^. (28) 

• If Ws^i ^ w and c, < 0, then let 

(prec(i)) (s)t , X 

ii = fi \Z + M^<^.v) - ^(.,) -^1 \?-' (Z + M^'^.v) 

and let yf''^'''^ = ^/^\ 
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Computation of ^' '^j "''' needs one multiplication and one division. The 

product of ^ ""',7' ^iid g]f{z + wif^) needs y(g\^\z + Wip^)) multiplications, 

where y is defined in Section [3.4.1[ Thus, the number of multiplications and 
divisions is < Eq. (|28] ). 

After computing fj^^^'^^^'^'' and ^^p'''^'^'^'*" as above, update the program variable s to 
prec(i') and go to the beginning of Section [X6l 

3.8 Difference to the Original Method 

In this subsection, we review advantages of our modified algorithm over the orig- 
inal 11251 . 

• Our version can handle any one-point primal AG codes, while the original 
can handle codes only coming from the Cat curves [1311 . This generalization 
is enabled only by replacing y in [1251 by yj defined in Section [2l 

• Our version can find all the codeword within Hamming distance r from the 
received word r, while the original is a unique decoding algorithm. 

• Our version does not compute f.'^\ gf^ for a Weiestrass gap s i H{Q), while 
the original computes them for N > s ^ H(Q). 

• The original algorithm assumed u < n, where u is as defined in Eq. ([T]). 
This assumption is replaced by another less restrictive assumption (|5]) in 
our version. 

• Our version supports the Feng-Rao improved code construction [|T4l . while 
the original does not. This extension is made possible by the change at Eq. 
(|25l). 

• The first and the second termination criteria come from [^ Theorem 12] 
and do not exist in the original [13]. 

• The third termination criterion is essentially the same as the original [|25l . 
but examination of the Hamming distance between the decoded codeword 
and r is added when 2t > JagCCf)- 



• The original [[251 is suitable for parallel implementation on electric circuit 
similar to the Kotter architecture [14]. Our modified version retains this 
advantage. 
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4 Theoretical Analysis of the Proposed Modification 

In this section we prove that our modified algorithm can find all the codewords 
within Hamming distance r from the received word r. We also give upper bounds 
on the number of iterations in Section 14.61 



4.1 Supporting Lemmas 

In Section 14.11 we shall introduce several lemmas necessary in Sections 14. 21 - 14. 51 
Recall that the execution of our modified algorithm can branch when there are 
multiple candidates satisfying the condition (|26l ). For a fixed sequence of deter- 
mined Wv, define r^^^ = r and recursively define r'P'^^'^^^W = ^v) _ ev(w.5i^v)- By 
definition r*"'^ = r- ev{'Z,ser'^s'Ps)- 

The following lemma explains why the authors include "Grobner bases" in the 
paper title. The module Ijkn) was used in [|5l [151 |26l [351 [361 but the use of IfK-<) with 
s < max r was new in [[251 . 

Lemma 5 Fix s e H{Q) U {-1}. Let r^^^ correspond to w^ (s e Y) chosen by the 
decoding algorithm. Define the Fq[xi]-submodule Ijks) of£,{ooQ)z ® £.{ooQ) by 

liK.) = {ao + aiz I ao, ay e £{ooQ), 

vp,iao + rfai)> 1,1 <i<n}, (29) 

where r"^*^ = (r\ , ..., r„ ). Then {/^ , g. \ i = 0, . . . , ai - 1} is a Grobner basis 
ofIf{s) with respect to <., as an Fq[xi]-module. 

Proof. This lemma is a generalization of [[251 Proposition 11]. We can prove this 
lemma in exactly the same way as the proof of [[251 Proposition 11] with replacing 
y in [25] with yj and i' - 1 in [[251 by precC*). ■ 

The following proposition shows that the original decoding algorithm [[25l can 
correct errors up to half the bound JagCCf), which was not claimed in [[25l[ . 



Proposition 6 Fix s eY. Let A(s) as defined in Eq. @ and v{s) as defined in Eq. 
^. Then v{s) = A(s). 

Proof. Let T, = {j e H{Q) \ j = i (mod ai),j + s e H{Q)], then we have 
A{s) = tiro + • • • + tlr„,_i. Moreover, observe that 

H{Q) \ H{Q) = {-VQir]i4) \i = 0,...,ai-l,k = 0,l,...}. 
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Therefore, for s eY we. have 

Ti = {j e HiQ) \j = i (mod a,), j + se H{Q)] 

= {J e H{Q) \j = i (mod aO, j + s€ H(Q) \ H(Q)} 

= {j e HiQ) \j = i (mod aO, j + s€ {-VQir]r4) \k>0}} 

= {-ve(j/0 I s - VQiytx^) i {-vq{i],x\) I k > 0}}, 

where the third equality holds by Eq. (|2TI ). By the equalities above, we see 
P^i = max \ 0, 



-Vq{Xi) 

which proves the equality v{s) = A{s). ■ 

Lee et al. [25] showed that their original decoding algorithm can correct up 
to L('5?LBAo(C„) - 1)/2J errors, where Jlbao(C„) = min{v(^) | s e H{Q), s < u). 
Proposition [6] implies that (iLBAo(Ci,) is equivalent to dAoiCu) for every one-point 
primal code C„, and therefore [3 , Theorem 8] implies [|25l Proposition 12]. 

4.2 Lower Bound for the Number of Votes 

In Section l4~2l we discuss the number of votes (l26l) which a candidate Wgj receives. 
Since we study list decoding, we cannot assume the original transmitted codeword 
nor the error vector as in [|25l . Nevertheless, the original theorems in [I25II allow 
natural generalizations to the list decoding context. 

Lemma 7 Fix s eY. For s' e Y^-^'^\ fix a sequence ofWs> chosen by the decoding 
algorithm, and define r^"^ corresponding to the chosen sequence ofws'- Fix cOs G 
F^. Let e = (ei, . . . , e„Y be a nonzero vector with the minimum Hamming weight 
in the coset r^^^ - ev{cOs^s) + C^-i, where C^^i is as defined in Eq. ([Tp. Define 



J? = f]£i-Pi + ^Q) 






= X 



^Q-Y.Pi 



ooc 



(bym). 



Let [eo, . . . , 6a, -i} be a Grobner basis for J^ as an Fq[xi]-module with respect to 



k, 



<s (for any integer s), such that LM(ey) = x^^j. 
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Under the above notations, we have 

-VQ{6i) + VQiaijji) > aiCi, 
mm{-VQ(6i) + s,-VQ(7]i,)} > -VQ(di>j>yi'), 

for i with w.v,r i^ cOs, and 

min{-VQ(eO + s, -VQ{rir)] > -VQidv^ryr) - aiCi, 

for i with w^j = cOs- 

Proof. The proof is the same as those of [|25l Propositions 7 and 8], with replacing 
y in nasi by yj, 6{-) in HH by -Vq{-). m 

The following lemma is a modification to ll25l Proposition 9] for the list de- 
coding. 

Lemma 8 We retain notations from. Lemma^ We have 

+ ^ max{-VQ(?7,v) + vgiyd - s, -Vg(6,) + VgCy,)}. 



0<!<ai 

Proof. Lemma |7] implies 

2_^ aiCi > 2_j -vqidi'^vyi') - min{-VQ(6,) + s, -vq(77,v)} 

^sj—^s ^s,i—^s 

- Xi ~^eW',!'>'!') - min{-V2(6;) + s, -VqCt/^v)} 



0<(<ai 



and 



2_] aiCi < 2_j -VQi^d + VQiaijyi) 
^ Xi ~^e(^<) + VQiaijyi). 



Wsji=OJs Wsji^COs 



0<i<ai 
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Now we have a chain of inequalities 

^ Xi ~^eW'/3''') - min{-ve(6,) + s, -Ve(7/,v)} 

0<r<ai 
0<i<a[ 



0<i<ai 

- min{-ve(6,) + s, -Vq(7/,v)} + vg(6,) 

2 -VQ(rii')-VQ{yi) (30) 

0<i<ai 

+ max{+V2(6,) - s, +VQ(rji>)} + vgied 

^ max{-VQ(?7,v) + vgCyO - s, -vgiet) + vgiyd} 

0<(<fli 



^ 2(-ve(6,) + veCv,)) 



0<i<a 



where at Eq. (1301) we used the equality 

0<i<a[ 0<(<fli 

0<i<ai 0<(<ai 

= ^ (-Ve(<iM) - vg(a,-,,)) + ^ -2vgCy,) 

0<i<ai 0<(<oi 

0<i<a[ 

= 2 ^~^e('7') + ^e(>'<)) + J] -2v2(y,) 

0<r<ai 0<(<ai 



0<r<ai 0<i<ai 
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shown in [|25l Lemma 2 and Eq. (1)]. Finally note that 

^ 2{-VQ(6i) + VQ(yi)) 

0<(<fli 

= Yj 2ai deg^/6,) = 2aiwt(^ 



0<i<ai 

by nail Eq. (3)]. ■ 

The following lemma is a modification to [|25l Proposition 10] for list decod- 
ing, and provides a lower bound for the number of votes (ISFt received by any 
candidate oj^ e F^^, as indicated in the section title. 

Proposition 9 We retain notations from Lemma^ Let v{s) be as defined in Eq. 
(EH). We have 

^ c;> Yj c,- - 2wt(e) + v(^). 

Proof. We have 

2 max{-vg(?7,v) + vgiyd - s, -Vg(6,) + Vq()^,)} 

Q<i<ai 

> ^ max{-VQ(77,v) + vgiyd - s, 0} 

0<!<ai 

as -vg(6,) + vgCy,) > for < / < ai. ■ 

4.3 Correctness of the Modified List Decoding Algorithm with 
the Third Iteration Termination Criterion 

In this subsection and the following sections, we shall prove that the proposed 
list decoding algorithm will find all the codewords within the Hamming distance 
T from the received word r. Since the third iteration termination criterion is the 
easiest to analyze, we start with the third one. 

Fix a sequence Ws for 5 e F. If wt(r - ey(T,ser '^s^s)) < t then the sequence 
Ws is found by the algorithm because of Proposition |9l When 2t < JagCCf), by 
Proposition|6]the decoding is not list decoding, and the algorithm just declares the 
sequence w, as the transmitted information. 

On the other hand, if 2t > JagCCf), then the found sequence could correspond 
to a codeword more distant than Hamming distance r, and the algorithm examines 
the Hamming distance between the found codeword and the received word r. 

22 



Since computing ev(/) for / e -C{ooQ) needs many multiplications in F^, 
the algorithm checks some sufficient conditions to decide the Hamming distance 
between the found codeword and the received word r. Let r*-'^^ = (r]~ , . . . , r„ ). 
When oro = in Section [3 ■6.3[ by Lemma |5l we have 



^ Vp,(ffl) 






< 

< -ve(ai), 

because Eq. (|29l ) and cq = implies that Vp.(ai) > 1 for r|~^^ i^ 0. By the 
above equation, -Vgiai) < r implies that the found codeword is within Hamming 
distance r from f. This explains why the algorithm can avoid computation of the 
evaluation map ev in Step [H in Section [3.6.3I 

In order to explain Step |2] in Section 13.6.31 we shall show that the condition 
of Step [21 in Section [3.6.31 implies that wt(r - ev(2.ver>^.s¥'i)) > '^- Suppose that 
wt(r - ev(2ser w'.sVi)) ^ '^- Then there exists /3i e -C{ooQ) such that vp.(J3) > 1 for 
r|~^^ i^ 0, -vq(J3) <T + g, andjSiz e /,-^-i). Because the leading term of jSiz must be 
divisible by LT(f^' ) for some i by the property of Grobner bases, we must have 
-Vgiai) < -Vq(J3i). This explains why the algorithm can avoid computation of 
the evaluation map ev in Step[2]in Section [3. 6. 31 

Otherwise, the algorithm computes the Hamming distance between the found 
codeword and r in Steps [3] and [H in Section [3.6.31 

4.4 Correctness of the Modified List Decoding Algorithm with 
the Second Iteration Termination Criterion 

We shall explain why the second criterion in Section 13.6.21 correctly finds the 
required codewords. For explanation, we present slightly rephrased version of 
facts in [6}. 

Lemma 10 [^ Lemma 2.3] Let fiiz + fio e 7,-^(0 with lt(j3[Z + j3o) = lt(jSiz) with 
respect to <s and -vgifii) < n - t - s. If there exists f e £.(.sQ) such that 
wt(ev(/) - f^'^) < T, then we have f = -/3o//3i. 



Proof. Observe that lt(/3iz +/3o) = lt(jSiz) implies that -vq(j3o) < -vg(/3i) + s < 
n-T. The claim of Lemma[TO[is equivalent to [6, Lemma 2.31 with A = {n-T-l)Q 
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and G = sQ. Note that the assumption deg A > {n + deg G)/2 + ^ - 1 was not used 
in [|6l Lemma 2.3] but only in fF, Lemma 2.4]. ■ Note 

that the following proposition was essentially proved in [|6l Proposition 2.10], [|23l 
Section 14.2], and LIL Theorem 2.1] with b=\. 

Proposition 11 Let ckq and ai be as in Section \3.6.2\ If s < n - g -2t and there 
exists f e £.(sQ) such that wt(ev(/) - r*^'^^) < r, then we have f = -oro/o'i- 

Proof. Let g e Jl{ooQ) such that g{Pi) = if /(P,) ^ r|^\ and assume that g has the 
minimum pole order at Q among such elements in -CiooQ). Then -vg(^) <T + g. 
One has that gz - fg e Ijk^) and lt(^z - fg) = lt(^z) with respect to <s. By the 
property of Grobner bases, lt(^z) is divisible by LT(fl'^^) for some /, which implies 
-VgCai) < -Vgig) < T + g.By Lemma [TOl we have / = -ao/ai. m 

We explain how the procedure in Section 13.6.21 works as desired. When the 
condition in Step [T] in Section l3.6.2l is true, then there cannot be codeword within 
Hamming distance r from r^'^ by the same reason as Section 1431 So the algorithm 
stops processing with f^^\ 

When 2t < JagCCf), then the algorithm declares -ao/ai + li.v'er'>') ^s'^s' as 
the unique codeword. 

When 2t > JagCCf), then the algorithm examines the found codeword close 
enough to r in Steps |4a] and |4b] in Section [3.6.2[ When -vg(ffi) < r we can avoid 
computation of the evaluation map ev by the same reason as Section 14. 3[ which 
is checked at StepHaj Otherwise we compute the codeword vector at Stepl4b]and 
examine its Hamming distance to r^*\ 

By Proposition [TTl the codeword must be found at s = max{s' e Y \ s' < 
n - 2t + g}. Therefore, we do not execute the iteration at s < max{s' e Y \ s' < 
n -It + g]. 

4.5 Correctness of the IModified List Decoding Algorithm with 
the First Iteration Termination Criterion 

We shall explain why the first criterion in Section |3 . 6 . 1 [ correctly finds the required 
codewords. The idea behind the first criterion is that there cannot be another 
codeword within Hamming distance r from r^'^^ when the algorithm already found 
one. So the algorithm can stop iteration with smaller s once a codeword is found 

as ev(-Qro/o'i + Ii.'€rM>v*'V'i')- 

The algorithm does not examine conditions when -Vqiai) > t + ^ by the same 
reason as Sections [4.3| and |4~4| When It < dAciCr), then the algorithm declares 
-QTo/o'i + Z.s'er'>'> ^s'^s' as the unique codeword. 
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When 2t > JagCCf), then the algorithm examines the found codeword close 
enough to r in Steps [2a] - [2cl in Section [3 .6. 1[ When -Vgiai) < r we can avoid 
computation of the evaluation map ev by the same reason as Section |431 which is 
checked at Step[2al 

By Proposition nn the codeword must be found at some s > max{s' eY \ s' < 
n - 2t + g}. Therefore, we do not execute the iteration at s < max{s' e Y \ s' < 
n -It + g}. 

4.6 Upper Bound on the Number of Iterations 

For each s satisfying 2v{s) < r, the number of accepted candidates satisfying Eq. 
(I26l) can be q. Therefore, we have upper bounds for the number of iterations, 
counting executions of Rebasing in Section [3.7.3l as 

Us G H(Q) I maxT < 5 < A^} + exp^(tj{5 e Y \ 2vis) > r}) 
X Us e H{Q) U {-1} I 5<maxr} 

for the third criterion forjudging termination, where exp (jc) = q^, and 

Us 6 HiQ) I maxr < ^ < A^)} + exp^(tt{^ e Y \ 2v(s) > r}) 
X Us G HiQ) I max{^' eY \ s' < n -2t + g} < s < maxY} 

for the first and the second criteria forjudging termination. 

Observe that the list decoding can be implemented as exp (Us e Y \ 2v{s) > 
r}) parallel execution of the unique decoding. Therefore, when one can afford 
exp^iUs e r I 2v{s) > r}) parallel implementation, which increases the circuit 
size, the decoding time of list decoding is the same as that of the unique decoding. 

5 Comparison to Conventional Methods 
5.1 Simulation Condition and Results 

We have provided an upper bound on the number of multiplications and divisions 
at each step of the proposed algorithm. We simulated 1 , 000 transmissions of 
codewords with the one-point primal codes on Klein quartic over Fg with n = 23 
by using Examples [T] and [3l the one-point Hermitian codes over Fig with n = 64, 
and the one-point primal codes on the curve in Example |2] over Fg with n = 77. 
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The program is implemented on the Singular computer algebra system [|20ll . 
The program used for this simulation is included in the source file of this eprint. 

In the execution, we counted the number of iterations, (executions of Rebasing 
in Section [3.7.3I) . the sum of upper bounds on the number of multiplications and 
divisions given in Eqs. dB]), ^, (HT]), ([H, (O, ^, ^, ^ and ^, and 
the number of codewords found. Note also that Eq. (fTTT ) instead of Eq. (fT3l) is 
used. 

The parameter r is set to the same as the number of generated errors in each 
simulation condition. A^ or i? in the number of errors in Tables |2] and |3] indi- 
cates that the error vector is generated toward another codeword nearest from the 
transmitted codeword or completely randomly, respectively. The distribution of 
codewords is uniform on Cp. That of error vectors is uniform on the vectors of 
Hamming weight r. 

In the code construction, we always try to use the Feng-Rao improved con- 
struction. Specifically, for a given designed distance 6, we choose F = {i' e H{Q) \ 
A{s) = v{s) > 6}, and construct Cp of Eq. (H]). In the following, the designed dis- 
tance is denoted by ^agCCf)- It can be seen from Tables [l]-51and the following 
subsections that the computational complexity of the proposed algorithm tends to 
explode when the number of errors exceeds the error-correcting capability of the 
Gurus wami-Sudan algorithm \2U . 



5.2 Comparison among the Three Proposed Termination Cri- 
teria 

In Sec. 13.61 we proposed three criteria for terminating iteration of the proposed 
algorithm. From Tables [BBl one can see the following. The first criterion has the 
smallest number of iterations, and the second is the second smallest. On the other 
hand, the first criterion has the largest number of multiplications and divisions. 
The second and the third have the similar numbers. Only the first criterion was 
proposed in [18] and we see that the new criteria are better than the old one. 

The reason is as follows: The computation of quotient Cq/o'i at Step \T\ in 
Section 13.6.11 is costlier than updating fj^'^^ and g''f^ in Section 13.7.31 and the first 
criterion computes ao/o'i many times, which cancels the effect of decrease in the 
number of iterations. On the other hand, the second criterion computes ao/ai only 
once, so it has the smaller number of multiplications and divisions than the first. 

The second criterion is faster when 2t < dAciCr), while the third tends to 
be faster when 2t > JagCCf)- In addition to this, the ratio of the number of 
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iterations in the second criterion to that of the third is smaller with 2t < JagCCf) 
than with 2t > ^AoCCr)- We speculate the reason behind them as follows: When 
2t > JagCCf) and a wrong candidate is chosen at Eq. (|26|) . after several iterations 
of Sections 13.61 and I3.7[ we often observe in our simulation that no candidate 
satisfies Eq. (|26l) and the iteration stops automatically. Under such situation, the 
second criterion does not help much to decrease the number of iterations nor the 
computational complexity when a wrong candidate is chosen at Eq. (|26l) . and 
there are many occasions at which a wrong candidate is chosen at Eq. (|26l) when 
2t > JagCCf). On the other hand, when 2t < JagCCf), the second criterion helps 
to determine the transmitted information earlier than the third. 

5.3 Klein Quartic, (JagCCf), t) = (4, 1) or (10, 4) 

We can use flU [6l IH [TOl |29l to decode this set of parameters. It is essentially 
the forward elimination in the Gaussian elimination, and it takes roughly n^/3 
multiplications. In this case n^/3 = 4055. The proposed algorithm has the lower 
complexity than ll4l[6ll9l[T0ll29]|. 

5.4 Klein Quartic, (JagCCf), t) = (4, 2) or (4, 3) 

The code is C„ with u = 20, dim C„ = 18. There is no previously known algorithm 
that can handle this case. 

5.5 Klein Quartic, (dAGiCr), r) = (10, 5) 

The code is C„ with u = 13, dimC„ = 11. According to [|5l Fig. 1], we can use the 
original Guruswami-Sudan [[211 but it seems that its faster variant cannot be used. 
We need the multiplicity 7 to correct 5 errors. We have to solve a system of 23(7 + 
1)7/2 = 644 linear equations. It takes 644V3 = 89,029,994 multiplications in 
Fg. The proposed algorithm is much faster. 

5.6 Klein Quartic, (^AG(Cr), r) = (10, 6) 

The code is C„ with m = 13, dim C„ = 1 1 . There is no previously known algorithm 
that can handle this case. 
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5.7 Hermitian, (dAoiCr), r) = (6, 2) or (20, 9) 

We can use the BMS algorithm |l371[39l for this case. The complexity of [[37l[39ll 
is estimated as 0{a\n^) and a\n^ = 24,576. The complexity of the proposed 
algorithm seems comparable to [|37l |39l . However, we are not sure which one is 
faster. 



5.8 Hermitian, ((iAoCCr), r) = (6, 3) or (6, 4) 

The code becomes the Feng-Rao improved code with designed distance 6. Its 
dimension is 55. In order to have the same dimension by C„ we have to set u = 60, 
whose AG bound [3| is 4 and the Guruwsami-Sudan can correct up to 2 errors. 
The proposed algorithm finds all codewords in the improved code with 3 and 4 
errors. 



5.9 Hermitian, (JAoCCr), r) = (20, 10) 

The code is C„ with u = 44. The required multiplicity is 11, and the required de- 
signed list size is 14. The fastest algorithm for the interpolation step seems [|5l. [|5l 
Example 4] estimates the complexity of their algorithm as 0(A^n^{log Xnf log(log An)), 
where A is the designed list size. Ignoring the log factor and assuming the scaling 
factor one in the big-0 notation, the number of multiplications and divisions is 
A^rp- = 2,202,927, 104. The proposed algorithm needs much fewer number of 
multiplications and divisions in Fig. 

5.10 Hermitian, (dAoiCr), r) = (20, 1 1) 

The Guruwsami-Sudan algorithm [1211 can correct up to 10 errors and there seems 
no previously known algorithm that can handle this case. 

5.11 Garcia-Stichtenoth (Example©, (dAoiCr), r) = (6, 2), (10, 4), 
or (20, 9) 

We can use [H [61 |9l HOl |29l to decode this set of parameters. It is essentially 
the forward elimination in the Gaussian elimination, and it takes roughly n^/3 
multiplications. In this case n^/3 = 152, 177. The proposed algorithm has the 
lower complexity than fl4ll6ll9l[T0ll29l. 



28 



5.12 Garcia-Stichtenoth (Example 111), (JagCCf), t) = (6, 3) 

This is a Feng-Rao improved code with dimension 58. In order to realize a code 
with the same dimension, we have to set m = 79 in C„. The Guruswami-Sudan 
algorithm [|2T]| can correct no error in this set of parameters . There seems no 
previously known algorithm that can handle this case. 

5.13 Garcia-Stichtenoth (Example 111), (dAoiCr), r) = (10, 5) 

This is a Feng-Rao improved code with dimension 52. In order to realize a code 
with the same dimension, we have to set a = 73 in Q,. The Guruswami-Sudan 
algorithm [21 J can correct 2 errors in this set of parameters. There seems no 
previously known algorithm that can handle this case. 

5.14 Garcia-Stichtenoth (Example 111), (JAG(Cr), r) = (20, 10) 

This is an ordinary one-point AG code C„ with m = 58 and dimension 37. The 
Guruswami-Sudan algorithm [21] can correct 10 errors with the multiplicity 154 
and the designed list size 178. We have to solve a system of 77 x (154 -I- 1)154/2 = 
918,995 linear equations. It takes 918,995^3 = 258,712,963,551,308,291 
multiplications in Fg. The proposed algorithm is much faster. 

5.15 Garcia-Stichtenoth (Example 111), (dAoiCr), r) = (20, 1 1) 

The Guruswami-Sudan algorithm [[211 can correct up to 10 errors and there seems 
no previously known algorithm that can handle this case. 

6 Conclusion 

In this paper, we modified the unique decoding algorithm for plane AG codes in 
[|25l so that it can support one-point AG codes on any curve, and so that it can 
do the list decoding. The error correction capability of the original [ |25| and our 
modified algorithms are also expressed in terms of the minimum distance lower 
bound in [3]. 

We also proposed procedures to compute products and quotients in coordinate 
ring of affine algebraic curves, and by using those procedures we demonstrated 
that the modified decoding algorithm can be executed quickly. Specifically, its 
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computational complexity is comparable to the BMS algorithm [|37l [391 for one- 
point Hermitian codes, and much faster than the standard list decoding algorithms 
lIHIllj for several cases. 

The original decoding algorithm [.25J allows parallel implementation on cir- 
cuits like the Kotter architecture [l24l . Our modified algorithm retains this ad- 
vantage. Moreover, if one can afford large circuit size, the proposed list decoding 
algorithm can be executed as quickly as the unique decoding algorithm by parallel 
implementation on a circuit. 
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